WilliamLam.com

That's so cool! Running ESXi 5.0 & 5.1 on Apple Mac Mini

by // 39 Comments

Those of you who follow me on twitter should know that I recently got my hands on an Apple Mac Mini Server (Thanks Randy K.) and are probably thinking I would install Apple OSX on the Mini. Nope! I am actually running vSphere ESXi 5.0 or 5.1 on the Mac Mini!

UPDATE (12/21): Yo no longer need to create a customized ESXi ISO for Apple Mac Mini, the necessary drivers are now included in the new ESXi 5.0 Update 2 and will work out of the box. Please take a look at this article for more details.

UPDATE (01/18): To run ESXi 5.1 on Mac Mini 5,1 or 5,3 please follow the same steps outlined below but for an ESXi 5.1 ISO image. If you are trying to run ESXi 5.0 or 5.1 on the new 2012 Apple Mac Mini 6,2 please refer to this blog post for the instructions.

Disclaimer: This is not officially supported by VMware. Use at your own risk.

Note: I did not have a spare monitor at home and luckily the Mac Mini has a DVI output which I was able to connect to my 46" TV. Nothing like ESXi on the big screen 🙂

Even though this is not officially supported by VMware, it is still a very cool solution and the Mac Mini is great form factor for a vSphere home lab. I also want to mention that this was only possible with the research from the folks over at Paraguin Consulting who initially blogged about the process needed to get ESXi 5 running on a Mac Mini. I would highly recommend you check out their blog post which provides additional details as well as a step by step installation guide including screenshots for each step.

I did not have access to an Apple Super Drive which is what the Paraguin folks used in their installation guide, as they thought formatting a USB key would have taken too long ... and who has a CD burner these days? 😉 There is also an additional step that is needed to get network connectivity which requires the user to manually install a network driver on the ESXi host.

I decided to go down the route of using a USB key to perform the installation and using a spare 1GB USB key, I created a custom ESXi installation that included the network driver which allows for network connectivity during and after the installation.

What you will need:

Step 1 - Extract the offline bundle "tg3-3.120h.v50.2-offline_bundle-547149.zip" from Broadcom zip file

Step 2 - Use Image Builder to add the Broadcom driver and create a custom ESXi 5 ISO (steps taken from this VMware KB article)

# Add the ESXi 5.0 Update 1 Offline Bundle

Add-EsxSoftwareDepot "C:\VMware-ESXi-5.0.0-623860-depot.zip"

# Add the Broadcom Offline VIB

Add-EsxSoftwareDepot "C:\tg3-3.120h.v50.2-offline_bundle-547149.zip"

# Create a new Image Profile (in example, I'm using the full version w/tools)

New-EsxImageProfile -CloneProfile "ESXi-5.0.0-623860-standard" -name "ESXi50u1-Custom"

# Add the broadcom driver to our Image Profile

Add-EsxSoftwarePackage -ImageProfile "ESXi50u1-Custom" -SoftwarePackage "net-tg3"

# Create an ISO from our custom Image Profile

Export-EsxImageProfile -ImageProfile "ESXi50u1-Custom" -ExportToISO -filepath C:\VMware-ESXi-5.0u1-Custom.iso

Step 3 - Plug in a USB key into your system and run UNetbootin which will take the custom ISO we just created and make it bootable on the USB key

Step 4 - Finally, power on your Mac Mini and plug in the USB key. You can either hold the "Alt/Option" key while the system is booting and select the EFI volume OR just plug the USB key and the ESXi installer should automatically start up.

After a few minutes, you should now have ESXi 5 running on your Mac Mini, here is my setup:

Note: If you wish to add a custom kickstart file so it automatically installs and configures the host, take a look at this blog post for the details. If you want the Mac Mini to automatically boot from USB without having to press the "Alt/Option" key after installation, you can set the default boot device by following this article here.

Since you are running ESXi on Apple hardware, you can also create Mac OSX Virtual Machines (10.5 Server and 10.6 Server) and with the latest release of vSphere 5.0 Update 1, OSX 10.7 (Lion) is now officially supported. To install OSX 10.7 as a VM, make sure you follow the instructions here.

Here is a screenshot of running OSX Lion 64bit as a VM running on ESXi 5 running on a Mac Mini 😀

If you are looking to refresh your vSphere home lab, definitely consider looking at the Mac Mini, which can get up to a max of 16GB of memory. Also if you are wondering if other people are doing this, I would recommend you check out Christopher Well's vSamarai blog here which details his experience using the Mac Mini as well as voting for his VMworld CFP which will also include topic about running ESXi on Mac Mini.

I want to thank Randy K. again for lending me the Mac Mini, you rock dude! Hopefully this will not be the last article about the Mac Mini 😉

Additional Resources:

vSphere Security Hardening Report Script for vSphere 5

by // 10 Comments

The much anticipated vSphere 5 Security Hardening Guide was just released last week by VMware and includes several new guidelines for the vSphere 5 platform. In addition to the new guidelines, you will also find that the old vSphere 4.x guideline identifiers (e.g. VMX00, COS00, VCENTER00) are no longer being used and have been replaced by a new set of identifiers. You might ask why the change? Though I can not provide any specifics, but rest assure this has been done for a very good reason. There is also a change in the security guidance levels, in the vSphere 4.x guide, you had enterprise, SSLF and DMZ and with the vSphere 5 guide, you now have profile1, profile2 and profile3 where profile1 provides the most secure guidelines. To get a list of all the guideline changes between the 4.1 and 5.0 Security Hardening Guide, take a look at this document here.

I too was impacted by these changes as it meant I had to add additional logic and split up certain guidelines to support both the old and new identifiers in my vSphere Security Hardening Script. One of the challenges I faced with the old identifiers and creating my vSphere Security Hardening Script is that a single ID could be applicable for several independent checks and this can make it difficult to troubleshoot. I am glad that each guideline is now an individual and unique ID which should also make it easier for users to interpret.

To help with your vSphere Security Hardening validation, I have updated my security hardening script to include the current public draft of the vSphere 5 Security Hardening Guide. You can download the script here.

Disclaimer: This script is not officially supported by VMware, please test this in a development environment before using on production systems.  

The script now supports both a vSphere 4.x environment as well as vSphere 5.0 environment. In addition to adding the new guideline checks and enhancing a few older ones, I have also included two additional checks that are not in Hardening Guide which is to verify an ESX(i) host or vCenter Server's SSL certificate expiry. I recently wrote an article on the topic here, but thought this would be a beneficial check to include in my vSphere Security Hardening Script. If you would like to see the verification of SSL certificate expiry in the official vSphere 5 Security Hardening Guide, please be sure to provide your feedback here.

Here is a sample output for the Security Hardening Report for a vSphere 5 environment using "profile2" check:
vmwarevSphereSecurityHardeningReport-SAMPLE.html

UPDATE (06/03/12): VMware just released the official vSphere 5 Security Hardening Guide this week and I have also updated my script to include all modifications. If there are any feedback/bug reports, please post them in the vSphere Security Hardening Report VMTN Group.

If you have any feedback/questions, please join the vSphere Security Hardening Report VMTN Group for further discussions.

How to Create Bootable ESXi 5 ISO & Specifying Kernel Boot Options

by // 21 Comments

This week I helped to answer a few questions about creating your own ESXi 5 bootable ISO along with automatically using a static IP Address when the custom ISO first boots up. Although all this information is available via the vSphere documentation, it may not always be easy to put all the pieces together and thought I share the steps for others to also benefit.

You will need access to a UNIX/Linux system and a copy of the base ESXi 5 ISO image. In this example I will be using VMware vMA and VMware-VMvisor-Installer-5.0.0.update01-623860.x86_64.iso and walk you through two different configurations. We will also be referencing the vSphere documentation Create an Installer ISO Image with a Custom Installation or Upgrade Script and Kernel Boot Options.

Create ESXi 5 Bootable ISO w/Remote ks.cfg:

In this configuration, we will create a custom ESXi ISO that will boot with a static IP Address and use a remote ks.cfg (kickstart) configuration file.

Step 1 - Mount base ESXi ISO using the "mount" utility:

$ mkdir esxi_cdrom_mount
$ sudo mount -o loop VMware-VMvisor-Installer-5.0.0.update01-623860.x86_64.iso esxi_cdrom_mount

Step 2 - Copy the contents of the mounted image to a local directory called "esxi_cdrom":

$  cp -r esxi_cdrom_mount esxi_cdrom

Step 3 - Unmount the ISO after you have successfully copied it and change into the esxi_cdrom directory

$ sudo umount esxi_cdrom_mount
$ cd esxi_cdrom

Step 4 - Edit the boot.cfg and specifically the "kernelopt" line to not use the weasel installer but kickstart and also specifying the remote location of your ks.cfg. To get more details on the various kernel boot options, please take a look at the vSphere Boot Options documentation above.

You will also need to specify the static IP Address you wish to have the host automatically use when the ISO first boots up on the same line.

Step 5 - Once you have finished your edits and saved the boot.cfg, you will now change back to the parent directory and use the "mkisofs" to create your new bootable ISO. In this example, we will name the new ISO "custom_esxi.iso":

$ sudo mkisofs -relaxed-filenames -J -R -o custom_esxi.iso -b isolinux.bin -c boot.cat -no-emul-boot -boot-load-size 4 -boot-info-table esxi_cdrom/

You now have a new bootable ESXi 5 ISO called "custom_esxi.iso" which will now automatically boot up with the specified static IP Address and install based on the ks.cfg that was specified.

Create ESXi 5 Bootable ISO w/Local ks.cfg:

Similar to the above configuration, we will create a custom ESXi ISO that will boot with a static IP Address but use a local ks.cfg (kickstart) configuration file that will be included within the custom ISO.

Step 1 through 3 is exactly the same as above

Step 4 - By default, a basic ks.cfg is included in the ESXi 5 ISO in /etc/vmware/weasel/ks.cfg and we will create a custom *.tgz file that will include our ks.cfg within the ISO. First off by creating a temporary directory which will be used to store our ks.cfg:

$ mkdir -p temp/etc/vmware/weasel

Step 5 - Copy your ks.cfg file into the temp/etc/vmware/weasel:

$ cp ks_custom.cfg temp/etc/vmware/weasel

Step 6 - Create a *.tgz file containing the path to our ks.cfg using the "tar" utility. In this example, we will called it customks.tgz:

$ cd temp
$ tar czvf customks.tgz *

Step 7 -  Copy the customks.tgz from temp directory to your esxi_cdrom directory:

$ cp temp/customks.tgz esxi_cdrom

Step 8 Change into the "esxi_cdrom" directory and edit the boot.cfg just like the above, but we will be using the "file://" stanza to specify the path to our ks.cfg, static IP Address as well as adding our customks.tgz to the module list to ensure that it loads up which contains the actual ks.cfg file that is called in the boot.cfg.

Step 9 - Same as Step 5 above, you now just need to run the "mkisofs" utility to create your bootable ISO.

You now have a new bootable ESXi 5 ISO called "custom_esxi.iso" which will now automatically boot up with the specified static IP Address and install based on the ks.cfg that is included within the ISO.